Identifying cross-site scripting (XSS) vulnerabilities
Cross-site scripting (XSS) is one of the most common vulnerabilities in web applications, in fact, it is considered third in the OWASP Top 10 from 2013 (https://www.owasp.org/index.php/Top_10_2013-Top_10).
In this recipe, we will see some key points to identify a cross-site scripting vulnerability in a web application.
How to do it...
Log into DVWA and go to XSS reflected.
The first step in testing for vulnerability is to observe the normal response of the application. Introduce a name in the text box and click on Submit. We will use
Bob
.The application used the name we provided to form a phrase. What happens if instead of a valid name we introduce some special characters or numbers? Let's try with
<'this is the 1st test'>
.Now we can see that anything we put in the text box will be reflected in the response, that is, it becomes a part of the HTML page in response. Let's check the page's source code to analyze how it presents the information...